fix(deps): update dependency path-to-regexp to v1 [security]

Open renovate[bot] opened this issue 1 year ago • 16 comments

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| path-to-regexp | 0.2.5 -> 1.9.0 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2024-45296

Impact

A bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b.

Patches

For users of 0.1, upgrade to 0.1.10. All other users should upgrade to 8.0.0.

These versions (0.1.10 and 8.0.0) add backtrack protection when a custom regex pattern is not provided.

They do not protect against vulnerable user supplied capture groups. Protecting against explicit user patterns is out of scope for old versions and not considered a vulnerability.

Version 7.1.0 can enable strict: true and get an error when the regular expression might be bad.

Version 8.0.0 removes the features that can cause a ReDoS.

Workarounds

All versions can be patched by providing a custom regular expression for parameters after the first in a single segment. As long as the custom regular expression does not match the text before the parameter, you will be safe. For example, change /:a-:b to /:a-:b([^-/]+).

If paths cannot be rewritten and versions cannot be upgraded, another alternative is to limit the URL length. For example, halving the length of the attack string makes the match roughly 4x faster.

Details

Using /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/. This can be exploited by a path such as /a${'-a'.repeat(8_000)}/a. OWASP has a good example of why this occurs, but the TL;DR is that the trailing /a ensures the route can never match, yet due to naive backtracking the engine still attempts every way of splitting the repeated 8,000 -a between :a and :b.

Because JavaScript is single threaded and regex matching runs on the main thread, poor performance will block the event loop and can lead to a DoS. In local benchmarks, exploiting the unsafe regex will result in performance that is over 1000x worse than the safe regex. In a more realistic environment using Express v4 and 10 concurrent connections, this translated to average latency of ~600ms vs 1ms.
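The following is an added example, not code from this PR, from the advisory or from path-to-regexp itself. It writes out by hand the two route regexes the Workarounds and Details sections describe, so it runs without installing the library: the vulnerable one is the pattern the advisory says path-to-regexp 0.x/1.x emits for /:a-:b, and the hardened one is my assumed equivalent for the workaround route /:a-:b([^-/]+). The helper names (buildProbePath, timeMatch, sameParams, demo) are hypothetical. It also checks a caveat the workaround text does not spell out: the custom pattern changes which parameter absorbs extra dashes, so existing routes need retesting after the change.

```javascript
// Added example (not code from the PR, the advisory or path-to-regexp).
// Route regexes are hand-written so this file runs with plain Node.js.

// What the advisory says 0.x/1.x generates for '/:a-:b'. Both parameters use
// the same lazy class, so for every candidate end of group 1 the engine
// rescans the rest of the segment for group 2: a failed match costs
// quadratic work in the segment length.
const VULNERABLE_ROUTE = /^\/([^\/]+?)-([^\/]+?)\/?$/;

// Assumed equivalent for the workaround route '/:a-:b([^-/]+)'. Group 2's
// custom class excludes '-', so it can never extend back over text that
// belongs to group 1; each split point is tried once and the cost is linear.
const HARDENED_ROUTE = /^\/([^\/]+?)-([^-\/]+)\/?$/;

// The advisory's probe input with a configurable repeat count: '/a-a-...-a/a'.
// The trailing '/a' guarantees the route never matches, so the engine must
// exhaust every backtracking path before giving up.
function buildProbePath(repeats) {
  return `/a${'-a'.repeat(repeats)}/a`;
}

// Run one route regex against a path; report whether it matched, the
// captured parameters, and the wall-clock cost in milliseconds.
function timeMatch(route, path) {
  const start = process.hrtime.bigint();
  const match = route.exec(path);
  const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
  return {
    matched: match !== null,
    params: match ? match.slice(1) : null,
    elapsedMs,
  };
}

// Caveat check for the workaround: do both routes extract the same parameters
// for a given well-formed path? They agree on '/foo-bar' but not on paths
// with extra dashes, because the custom class changes where the split lands.
function sameParams(path) {
  const a = VULNERABLE_ROUTE.exec(path);
  const b = HARDENED_ROUTE.exec(path);
  if (a === null || b === null) return a === b;
  return a[1] === b[1] && a[2] === b[2];
}

// Stand-alone demo with modest sizes: doubling the vulnerable input roughly
// quadruples the time (the quadratic growth the URL-length workaround relies
// on), while the hardened route stays flat even at the advisory's 8,000.
function demo() {
  const rows = [
    ['vulnerable', VULNERABLE_ROUTE, 1000],
    ['vulnerable', VULNERABLE_ROUTE, 2000],
    ['hardened', HARDENED_ROUTE, 8000],
  ];
  for (const [label, route, repeats] of rows) {
    const r = timeMatch(route, buildProbePath(repeats));
    console.log(
      `${label.padEnd(10)} repeats=${repeats} matched=${r.matched} ${r.elapsedMs.toFixed(2)} ms`
    );
  }
  console.log('same params for /foo-bar:', sameParams('/foo-bar'));
  console.log('same params for /x-y-z:  ', sameParams('/x-y-z'));
}

demo();
```

Run it with `node` and compare the two vulnerable rows: the second takes about four times as long as the first, which is the relationship the URL-length workaround exploits in reverse. The last line prints false: with the custom pattern, /x-y-z binds :a to "x-y" and :b to "z", where the original route bound :a to "x" and :b to "y-z". If an application relied on the old split, the workaround is a behaviour change as well as a fix.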

Release Notes

pillarjs/path-to-regexp (path-to-regexp)

v1.9.0: Fix backtracking in 1.x

Compare Source

Fixed

v1.8.0: Backport token to function options

Compare Source

Added

  • Backport TokensToFunctionOptions

v1.7.0

Compare Source

  • Allow a delimiter option to be passed in with tokensToRegExp which will be used for "non-ending" token match situations

v1.6.0

Compare Source

  • Populate RegExp.keys when using the tokensToRegExp method (making it consistent with the main export)
  • Allow a delimiter option to be passed in with parse
  • Updated TypeScript definition with Keys and Options updated

v1.5.3

Compare Source

  • Add \ to the ignore character group to avoid backtracking on mismatched parens

v1.5.2

Compare Source

  • Escape \ in string segments of regexp

v1.5.1

Compare Source

  • Add index.d.ts to NPM package

v1.5.0

Compare Source

  • Handle partial token segments (better)
  • Allow compile to handle asterisk token segments

v1.4.0

Compare Source

  • Handle RegExp unions in path matching groups

v1.3.0

Compare Source

  • Clarify README language and named parameter token support
  • Support advanced Closure Compiler with type annotations
  • Add pretty paths options to compiled function output
  • Add TypeScript definition to project
  • Improved prefix handling with non-complete segment parameters (E.g. /:foo?-bar)

v1.2.1

Compare Source

  • Encode values before validation with path compilation function
  • More examples of using compilation in README

v1.2.0

Compare Source

  • Add support for matching an asterisk (*) as an unnamed match everything group ((.*))

v1.1.1

Compare Source

  • Expose methods for working with path tokens

v1.1.0

Compare Source

  • Expose the parser implementation to consumers
  • Implement a compiler function to generate valid strings
  • Huge refactor of tests to be more DRY and cover new parse and compile functions
  • Use chai in tests
  • Add .editorconfig

v1.0.3

Compare Source

  • Optimised function runtime
  • Added files to package.json

v1.0.2

Compare Source

  • Use Array.isArray shim
  • Remove ES5 incompatible code
  • Fixed repository path
  • Added new readme badges

v1.0.1

Compare Source

  • Ensure installation works correctly on 0.8

v1.0.0

Compare Source

  • No more API changes

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar Sep 09 '24 23:09 renovate[bot]

Any chance this will be merged soon? @micalevisk I saw your contribution here and this is basically the same vulnerability: https://github.com/nestjs/nest/pull/13971

oFlo193o avatar Sep 16 '24 14:09 oFlo193o

@oFlo193o should be but there is no ETA.

micalevisk avatar Sep 16 '24 14:09 micalevisk

tbf, I'm not sure if we can just merge this because we are moving from v0 to v1 here.

micalevisk avatar Sep 16 '24 14:09 micalevisk

@micalevisk It is safe to update as per https://github.com/pillarjs/path-to-regexp/pull/320#issuecomment-2353688832

oFlo193o avatar Sep 16 '24 19:09 oFlo193o

Hoping to see this merged soon, too 👍

According to the PR comment linked by @oFlo193o it would indeed seem that there were no API changes between 0.2.5 and 1.0.0 so this should be safe to merge? See https://github.com/pillarjs/path-to-regexp/blob/7aff887e73ee8bca5cc98ee6239616da07eb8523/History.md#100--2014-08-17

joonashak avatar Sep 18 '24 18:09 joonashak

any update? :)

BeataKr avatar Sep 20 '24 11:09 BeataKr

Looking for an update on this as well 👀

JesseObrien avatar Sep 25 '24 17:09 JesseObrien

Yes, it would be nice to have it merged, since using "override" in the root package.json is not working and this is reported as a high-risk CVE.

kekiel avatar Sep 26 '24 09:09 kekiel

Any predictions for this PR to be integrated?

CleberL avatar Sep 27 '24 14:09 CleberL

Reviewers have accepted the change. Can you please merge this @micalevisk I am also looking for this change.

GowthamanT avatar Oct 01 '24 14:10 GowthamanT

Only Kamil can merge PRs

micalevisk avatar Oct 01 '24 14:10 micalevisk

I'm not sure if we can address this issue without introducing breaking changes

micalevisk avatar Oct 01 '24 14:10 micalevisk

Hey guys, looking for an update on this as well

lethanhan97 avatar Oct 03 '24 05:10 lethanhan97

When I try to change dependencies I faced an issue - https://stackoverflow.com/questions/79051743/npm-override-overrides-not-only-the-package-i-specify . npm override changes not only the specified package but others too. Any ideas how to fix it?

Zimovets avatar Oct 04 '24 09:10 Zimovets

any updates?

pyr3-dev avatar Oct 05 '24 13:10 pyr3-dev

This would introduce a breaking change so we need to wait till the next major release

kamilmysliwiec avatar Oct 21 '24 10:10 kamilmysliwiec